Data from 500,000 people who volunteered their health information to the UK Biobank has been hacked and offered for sale online.
Technology Minister Ian Murray told the Commons on Thursday: “On Monday, the 20th of April the UK Biobank charity informed the Government they had identified their data had been advertised for sale by several sellers on Alibaba’s ecommerce platforms in China.
“Biobank told us that three listings that appear to sell … Biobank participation data had been identified. At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers.
“Additional listings offer support for applying for legitimate access to UK Biobank or analytical support for researchers who already have access to the data.”
Mr Murray said he wanted to reassure the House that Biobank had advised the data did not contain participants’ names, addresses, contact details or telephone numbers.
“The Government has spoken to the vendor today, and they did not believe that there were any purchases from the three listings before they were taken down,” he said.
UK Biobank is a huge database that contains genetic, biological, and health data from 500,000 UK participants.
It was established to advance medical research and scientists from across the world can use its data – with the personal information removed – for studies that are deemed in the public interest.
All of the participants were aged between 40 and 69 years old when they joined the study between 2006-2010.
Their data is used to track their long-term health and help researchers to understand, prevent and treat serious illnesses.
So far, it has been used to achieve improvements in detection and treatment of dementia, cancers and Parkinson’s.
UK Biobank has referred itself to the Information Commissioner’s Office following the hack, Mr Murray said.
In a statement, he told the Commons: “Once the Government was made aware of the situation, we took immediate action to protect participants’ data. Firstly, we worked with Biobank, the Chinese government and the vendor, to ensure that those three listings – that UK Biobank informed us (of), including participant data – had been removed.
“I want to thank the Chinese government for the seriousness with which they work with us to help remove these listings.
“Secondly, we ensured that the Biobank charity revoked access to three research institutions identified as the source of that information.
“And thirdly, we have asked that the Biobank charity pause further access to its data until they put in place a technical solution to prevent data from its current platform from being downloaded in this way again. I can confirm to the House that this pause is now in place.”
In a statement published on Thursday, Professor Sir Rory Collins, chief executive and principal investigator of UK Biobank, told those in the study: “We would like to inform you about an incident involving UK Biobank data.
“We apologise to our participants for the concern this will cause, and we hope to provide reassurance by outlining the serious actions we are taking in response.
“Your personally identifying information in UK Biobank is safe and secure.
“Listings offering access to UK Biobank data (which did not contain any personally identifying information) were found on a Chinese consumer website. These listings were swiftly removed before any purchases were made.
“We are putting in place additional security measures to prevent this happening again. We will conduct a comprehensive investigation into this incident.
“Since UK Biobank started to make your de-identified data available for research in 2012, it has led to thousands of discoveries that are already leading to improvements in the prevention and treatment of many different diseases.”
